Analysis
max time kernel: 151s
max time network: 34s
platform: windows7_x64
resource: win7-20230220-en
resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
submitted: 21-03-2023 20:58
Behavioral task: behavioral1
Sample: V4.exe
Resource: win7-20230220-en
8 signatures
150 seconds
General
Target: V4.exe
Size: 11.4MB
MD5: 2d0cb9ec97e5abac40a692aab91689c4
SHA1: 82b37f06255d3c8ec5e088fe5cf7f58fdf27b601
SHA256: 29a29d55f032057c27090196e48c2cad52bd5bc46642513a344879b95a81f5d6
SHA512: 33448e712588550d5e77535be52e2e653cd67ffa3e928182d8af68530db3e06960614e7bafcb4c5c66776f72e79954776641406b2e7f0d4946ee7794aceb5d3c
SSDEEP: 196608:76u3qVKcZ40PqqTOtfsLabW1RoNOL4CRRPG8uVfYW47ZIcZYM2mFIoNqcqT/Cg:76u6C0PqQOtEmbWbhRPG8uVwW4ecZxmD
Malware Config
Signatures
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
Processes:
  description: Key opened | ioc: \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | process: V4.exe

Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
  description: Key value queried | ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | process: V4.exe
  description: Key value queried | ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | process: V4.exe

Processes:
  resource: behavioral1/memory/848-54-0x000000013FF80000-0x00000001416F0000-memory.dmp | yara_rule: themida
  resource: behavioral1/memory/848-55-0x000000013FF80000-0x00000001416F0000-memory.dmp | yara_rule: themida
  resource: behavioral1/memory/848-56-0x000000013FF80000-0x00000001416F0000-memory.dmp | yara_rule: themida
  resource: behavioral1/memory/848-57-0x000000013FF80000-0x00000001416F0000-memory.dmp | yara_rule: themida
  resource: behavioral1/memory/848-58-0x000000013FF80000-0x00000001416F0000-memory.dmp | yara_rule: themida
  resource: behavioral1/memory/848-59-0x000000013FF80000-0x00000001416F0000-memory.dmp | yara_rule: themida
  resource: behavioral1/memory/848-60-0x000000013FF80000-0x00000001416F0000-memory.dmp | yara_rule: themida
  resource: behavioral1/memory/848-61-0x000000013FF80000-0x00000001416F0000-memory.dmp | yara_rule: themida
  resource: behavioral1/memory/848-62-0x000000013FF80000-0x00000001416F0000-memory.dmp | yara_rule: themida
  resource: behavioral1/memory/848-63-0x000000013FF80000-0x00000001416F0000-memory.dmp | yara_rule: themida

Checks whether UAC is enabled
Processes:
  description: Key value queried | ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | process: V4.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
Processes:
  pid: 848 | process: V4.exe

Program crash 1 IoCs
Processes:
  pid: 1276 | pid_target: 848 | process: WerFault.exe | target process: V4.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
  description: Token: SeDebugPrivilege | pid: 848 | process: V4.exe
  description: Token: SeDebugPrivilege | pid: 848 | process: V4.exe

Suspicious use of WriteProcessMemory 3 IoCs
Processes:
  description: PID 848 wrote to memory of 1276 | pid: 848 | process: V4.exe | target process: WerFault.exe
  description: PID 848 wrote to memory of 1276 | pid: 848 | process: V4.exe | target process: WerFault.exe
  description: PID 848 wrote to memory of 1276 | pid: 848 | process: V4.exe | target process: WerFault.exe
Processes
C:\Users\Admin\AppData\Local\Temp\V4.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\V4.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Windows\system32\WerFault.exe
    command line: C:\Windows\system32\WerFault.exe -u -p 848 -s 368
    - Program crash
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
memory/848-54-0x000000013FF80000-0x00000001416F0000-memory.dmp  Filesize: 23.4MB
memory/848-55-0x000000013FF80000-0x00000001416F0000-memory.dmp  Filesize: 23.4MB
memory/848-56-0x000000013FF80000-0x00000001416F0000-memory.dmp  Filesize: 23.4MB
memory/848-57-0x000000013FF80000-0x00000001416F0000-memory.dmp  Filesize: 23.4MB
memory/848-58-0x000000013FF80000-0x00000001416F0000-memory.dmp  Filesize: 23.4MB
memory/848-59-0x000000013FF80000-0x00000001416F0000-memory.dmp  Filesize: 23.4MB
memory/848-60-0x000000013FF80000-0x00000001416F0000-memory.dmp  Filesize: 23.4MB
memory/848-61-0x000000013FF80000-0x00000001416F0000-memory.dmp  Filesize: 23.4MB
memory/848-62-0x000000013FF80000-0x00000001416F0000-memory.dmp  Filesize: 23.4MB
memory/848-63-0x000000013FF80000-0x00000001416F0000-memory.dmp  Filesize: 23.4MB